7.2.2

Design overview

Use case and topology

The following figure shows the minimum topology of FortiLink over VXLAN using an IPv4 network.

Design concept and considerations

There are three methods to use FortiLink to manage FortiSwitch units:

  • FortiLink over a layer-2 network

    This method requires a direct connection between the FortiSwitch unit and the FortiGate device. In this document, the control path is the path over which the FortiGate device sends and receives the packets that manage the FortiSwitch unit; the data path is the path over which user data packets are forwarded between the FortiSwitch unit and the FortiGate device. Because the two devices are directly connected, the control path uses that direct link. For the data path, the FortiSwitch unit forwards packets within a VLAN (layer-2 data path), and the FortiGate device forwards packets between VLANs (layer-3 data path). All FortiSwitch models support this method.

  • FortiLink over a layer-3 network

    This method connects the FortiSwitch unit and the FortiGate device through any IPv4 network (IPv6 networks are planned for a future release). The IPv4 network can be built with third-party devices. The control path is established across the IPv4 network. Unlike FortiLink over a layer-2 network, the FortiGate device does not automatically take over the data path: the local gateway in the following figure handles inter-VLAN traffic, and that local gateway is not managed by FortiLink, so the FortiGate firewall policies do not see that inter-VLAN traffic. All FortiSwitch models support this method.

  • FortiLink over VXLAN

    This method connects the FortiSwitch unit and the FortiGate device through any IPv4 network. VXLAN encapsulation adds 50 bytes of overhead to each frame (outer Ethernet, IPv4, UDP, and VXLAN headers). The FortiSwitch unit forwards the FortiSwitch VLANs (user traffic) to the FortiGate device inside VXLAN, so the FortiGate device routes that traffic and applies its firewall policies to it. Refer to the Feature Matrix for details about which FortiSwitch models support VXLAN.

    Both the control path and the data path are VXLAN encapsulated, so FortiLink over VXLAN is logically equivalent to FortiLink over a layer-2 network when the FortiSwitch unit supports hardware-based VXLAN.

    The VXLAN tunnel is statically configured and established (that is, there is no EVPN control plane).

Requirements

The following are required for FortiLink over VXLAN:

  • MTU

    If the MTU of the overlay network (the FortiSwitch VLANs) is 1,500 bytes, the underlay network must support an MTU of at least 1,550 bytes: the overlay MTU plus the 50-byte VXLAN overhead. Because the FortiSwitch unit does not support fragmentation or reassembly of VXLAN packets, you must raise the MTU on every hop of the underlay path to avoid fragmentation.

  • Multicast

    Hardware-based VXLAN on the FortiSwitch unit replicates BUM (broadcast, unknown unicast, and multicast) traffic itself, so you do not have to run multicast routing on the underlay network.

  • Routing

    Static routing was used in the deployment described in this document, but dynamic routing is also supported.

  • NAT

    Virtual IP (VIP) network address translation (NAT) can be used along with FortiLink over VXLAN.

  • IPsec

    IPsec can be used along with FortiLink over VXLAN. VXLAN itself adds no encryption or authentication to the tunneled control and data traffic, so when the IPv4 underlay is not trusted, carry the VXLAN tunnel inside IPsec, and allow for the additional IPsec overhead when sizing the underlay MTU.

  • To forward FortiSwitch VLANs over VXLAN in hardware, a physical loopback cable and the corresponding configuration are required.

VLAN-to-VNI mapping

The 802.1Q tag (4 bytes) carries the VLAN ID, which is 12 bits long; the VXLAN header (8 bytes) carries the VXLAN network identifier (VNI), which is 24 bits long. When the FortiSwitch unit and the FortiGate device add a VXLAN header on FortiLink over VXLAN, a single VNI value is used in most cases, and the original 802.1Q tag with its VLAN ID is retained inside the encapsulated frame, so the VLAN separation of the user traffic is preserved through the tunnel.
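The following Python model is an added example (it is not Fortinet code and is not from this document) of the framing described in the Requirements and VLAN-to-VNI mapping sections: an inner 802.1Q frame with its 12-bit VLAN ID is wrapped in outer Ethernet/IPv4/UDP/VXLAN headers carrying a 24-bit VNI, the 50-byte overhead is measured on the result, and the "no fragmentation" rule is applied as a size check against the underlay MTU. The MAC and IP addresses, VLAN ID 100, and the VNI value are constructed sample values; the IPv4 checksum and header layouts follow RFC 791 and RFC 7348.

```python
"""Added example: the VXLAN framing behind FortiLink over VXLAN (not Fortinet code)."""
import struct
from typing import Optional, Tuple

VXLAN_UDP_PORT = 4789                 # IANA-assigned VXLAN port (RFC 7348)
VXLAN_OVERHEAD = 14 + 20 + 8 + 8      # outer Ethernet + IPv4 + UDP + VXLAN header = 50 bytes
DOT1Q_TPID = 0x8100


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header (0 when verifying a good header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_dot1q_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int, payload: bytes,
                      ethertype: int = 0x0800) -> bytes:
    """Inner Ethernet frame with an 802.1Q tag; the VLAN ID is a 12-bit field (1..4094)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = vlan_id                     # PCP = 0, DEI = 0, VID in the low 12 bits
    return dst_mac + src_mac + struct.pack("!HHH", DOT1Q_TPID, tci, ethertype) + payload


def dot1q_vlan_id(frame: bytes) -> Optional[int]:
    """VLAN ID of a tagged frame, or None when the frame carries no 802.1Q tag."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == DOT1Q_TPID else None


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags (I bit = VNI valid), 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", 0x08, vni << 8)


def encapsulate(inner: bytes, vni: int, outer_src_mac: bytes, outer_dst_mac: bytes,
                outer_src_ip: bytes, outer_dst_ip: bytes, src_port: int = 49152) -> bytes:
    """Wrap an inner Ethernet frame (tag retained) in outer Ethernet/IPv4/UDP/VXLAN headers."""
    vxlan = build_vxlan_header(vni)
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)   # UDP checksum 0 is legal over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     outer_src_ip, outer_dst_ip)                       # DF set: never fragmented
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = outer_dst_mac + outer_src_mac + struct.pack("!H", 0x0800)
    return eth + ip + udp + vxlan + inner


def decapsulate(outer: bytes) -> Tuple[int, bytes]:
    """Validate the outer headers and return (vni, inner_frame); raise ValueError on a bad packet."""
    if struct.unpack("!H", outer[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ip = outer[14:34]
    if ip[0] >> 4 != 4 or ip[9] != 17:
        raise ValueError("outer packet is not IPv4/UDP")
    if ipv4_checksum(ip) != 0:
        raise ValueError("bad outer IPv4 checksum")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", outer[34:42])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    flags, word = struct.unpack("!B3xI", outer[42:50])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return word >> 8, outer[50:50 + udp_len - 16]


def is_valid_vxlan(outer: bytes) -> bool:
    """True when decapsulate() accepts the packet."""
    try:
        decapsulate(outer)
        return True
    except (ValueError, struct.error):
        return False


def required_underlay_mtu(overlay_mtu: int) -> int:
    """Underlay MTU for an untagged overlay frame: the document's 1,500 -> 1,550 figure."""
    return overlay_mtu + VXLAN_OVERHEAD


def outer_ip_packet_len(inner: bytes) -> int:
    """Length of the outer IPv4 packet that carries `inner`; this is what the underlay MTU limits."""
    return 20 + 8 + 8 + len(inner)


def fits_underlay(inner: bytes, underlay_mtu: int) -> bool:
    """The switch does not fragment or reassemble VXLAN, so an oversized outer packet cannot be carried."""
    return outer_ip_packet_len(inner) <= underlay_mtu


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation addresses), not taken from the page.
    inner = build_dot1q_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 100, b"\x00" * 1500)
    outer = encapsulate(inner, 0xFF01, b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02",
                        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    vni, inner_back = decapsulate(outer)
    print("overhead bytes:", len(outer) - len(inner), "vni:", hex(vni),
          "inner vlan:", dot1q_vlan_id(inner_back), "outer ip len:", outer_ip_packet_len(inner),
          "fits 1550:", fits_underlay(inner, 1550))
```

The 50-byte figure, and therefore the 1,550-byte requirement above, counts an untagged inner frame; because FortiLink over VXLAN keeps the inner 802.1Q tag, the outer packet for a full 1,500-byte payload comes out 4 bytes larger (1,554 in this model), so give the underlay more headroom than the bare minimum rather than sizing it to exactly 1,550.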